Security does not appear in "Opensearch Plugins"

Versions

  • Opensearch: 2.4.1 (via Docker from opensearchproject/opensearch:latest)
  • Opensearch Dashboards: v 2.4.1 (via Docker from opensearchproject/opensearch-dashboards:latest)

Describe the issue:

I’m trying to set up opensearch with opensearch-dashboards but cannot get the Dashboards Security Plugin to appear in the Dashboards’ side panel.

As mentioned in Permissions required for user to see "Security" tab in OpenSearch Dashboards I have made sure to have the plugins.security.restapi.roles_enabled setting present in the opensearch configuration, but unlike in the other thread I cannot get it to work…

Is there anything obvious that seems odd in my configuration?

What did irritate me was that the dashboards does report “plugin-discovery” for all plugins present in its plugins/ directory, excluding securityDashboards - is that an expected behaviour?

Configuration:

  • opensearch through environment variables

    "cluster.name" = "opensearch"
    "cluster.routing.allocation.disk.threshold_enabled" = "false" # TODO: check this
    "compatibility.override_main_response_version" = "true" # talk to filebeat-oss-7.12.1
    "discovery.type" = "single-node" # no cluster
    "http.host" = "127.0.0.1"
    "http.port" = "${NOMAD_PORT_opensearch_9200}"
    "logger.level" = "DEBUG"
    "logger.org.opensearch.plugins.PluginSecurity" = "DEBUG"
    "network.host" = "127.0.0.1"
    "node.max_local_storage_nodes" = "4"
    "node.name" = "opensearch"
    "plugins.security.authcz.admin_dn" = "[\"CN=admin,OU=SSL,O=Test,L=Test,C=DE\"]"
    "plugins.security.restapi.roles_enabled" = "[\"all_access\",\"security_rest_api_access\"]"
    "plugins.security.allow_default_init_securityindex" = true
    "plugins.security.ssl.http.enabled" = true
    "plugins.security.ssl.http.pemcert_filepath" = "server-cert.pem"
    "plugins.security.ssl.http.pemkey_filepath" = "server-key-pkcs8.pem"
    "plugins.security.ssl.http.pemtrustedcas_filepath" = "server-cert.pem"
    "plugins.security.ssl.transport.enforce_hostname_verification" = false
    "plugins.security.ssl.transport.pemcert_filepath" = "server-cert.pem"
    "plugins.security.ssl.transport.pemkey_filepath" = "server-key-pkcs8.pem"
    "plugins.security.ssl.transport.pemtrustedcas_filepath" = "server-cert.pem"
    "transport.host" = "127.0.0.1"
    DISABLE_INSTALL_DEMO_CONFIG = true
    OPENSEARCH_JAVA_OPTS = "-Xms512m -Xmx512m"
    
  • config/opensearch-security/internal_users.yml

    ---
    # This is the internal user database
    # The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
    
    _meta:
      type: "internalusers"
      config_version: 2
    
    admin:
      hash: "$2y$12$gphHWN6wJJWel9mWFRjaN.HNhuxj/dD5Jqh..aOXDPzUe.6mX6My."
      reserved: true
      backend_roles:
      - "admin"
      description: "Demo admin user"
    
    kibanaserver:
      hash: "$2y$12$v6u/UphWPp0./rpbLtYffePkrZEz4D7TtIMpYZxZ9fd8GM7ZLxMBW"
      reserved: true
      description: "Demo kibanaserver user"
    
  • config/opensearch-security/roles_mapping.yml

    _meta:
      type: "rolesmapping"
      config_version: 2
    
    all_access:
      reserved: false
      backend_roles:
      - "admin"
      users:
        - "admin"
      description: "Maps admin to all_access"
    
    security_rest_api_access:
      reserved: false
      backend_roles:
      - "admin"
      users:
        - "admin"
      description: "Maps admin to all_access"
    
    custom_all_access:
      reserved: false
      backend_roles:
      - "admin"
      users:
        - "admin"
      description: "Custom Override for all_access"
    
    own_index:
      reserved: false
      users:
      - "*"
      description: "Allow full access to an index named like the username"
    
    kibana_user:
      reserved: false
      backend_roles:
      - "kibanauser"
      - "Developers"
      description: "Maps kibanauser to kibana_user"
    
    readall:
      reserved: false
      backend_roles:
      - "readall"
      - "Developers"
    
    manage_snapshots:
      reserved: false
      backend_roles:
      - "snapshotrestore"
      - "Developers"
    
    kibana_server:
      reserved: true
      users:
      - "kibanaserver"
    
  • opensearch-dashboards through environment variables

    OPENSEARCH_HOSTS = "[\"https://localhost:${NOMAD_PORT_opensearch_9200}\"]"
    SERVER_SSL_ENABLED = true
    SERVER_SSL_CERTIFICATE = "/opt/server-cert.pem"
    SERVER_SSL_KEY = "/opt/server-key-pkcs8.pem"
    OPENSEARCH_SSL_CERTIFICATEAUTHORITIES = "[\"/opt/server-cert.pem\"]"
    OPENSEARCH_USERNAME = "kibanaserver"
    OPENSEARCH_PASSWORD = "kibanaserver"
    LOGGING_VERBOSE = true
    

Relevant Logs or Screenshots:

@gunzl1ng3r You should move all the security plugin configuration to opensearch.yml and opensearch_dashboards.yml instead of using environmental variables.

You’ve disabled demo config installation. Does your docker-compose execute the sgadmin.sh script after creating the OpenSearch cluster?

Hello there!
I’d like to share here that I was having the same problem, and moving list parameters from compose environment variables (like plugins.security.restapi.roles_enabled=["all_access", "security_rest_api_access"]) to opensearch.yml made it work properly.
I’m still using env variables, but just for things that could be customized, like certificate location, cluster name and so on. So, everything that isn’t declared as an environment variable is set in opensearch.yml.
docker-compose.yml:

    <...>
      opensearch-node1:
        image: docker.io/opensearchproject/opensearch:${OS_STACK_VERSION}
        container_name: ${ES_NODE}
        user: "1058"
        depends_on:
          - opensearch-setup-certs
        environment:
          - cluster.name=${CLUSTER_NAME}
          - node.name=${ES_NODE}
          - path.data=/usr/share/opensearch/
          - discovery.seed_hosts=${ES_NODE}
          - cluster.initial_cluster_manager_nodes=${ES_NODE}
          - plugins.security.ssl.transport.pemcert_filepath=certs/${ES_NODE}/${ES_NODE_CRT}
          - plugins.security.ssl.transport.pemkey_filepath=certs/${ES_NODE}/${ES_NODE_KEY}
          - plugins.security.ssl.transport.pemtrustedcas_filepath=certs/ca/${ES_CA_CRT}
          - plugins.security.ssl.transport.enforce_hostname_verification=false
          - plugins.security.ssl.http.enabled=true
          - plugins.security.ssl.http.pemcert_filepath=certs/${ES_NODE}/${ES_NODE_CRT}
          - plugins.security.ssl.http.pemkey_filepath=certs/${ES_NODE}/${ES_NODE_KEY}
          - plugins.security.ssl.http.pemtrustedcas_filepath=certs/ca/${ES_CA_CRT}
    <...>

config/opensearch.yml:

    ---
    http.host: 0.0.0.0
    network.host: 0.0.0.0

    plugins.security.allow_unsafe_democertificates: true
    plugins.security.allow_default_init_securityindex: false
    plugins.security.authcz.admin_dn:
      - CN=admin
    plugins.security.audit.type: internal_opensearch
    plugins.security.enable_snapshot_restore_privilege: true
    plugins.security.check_snapshot_restore_write_privileges: true
    plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
    plugins.security.system_indices.enabled: true
    plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
    node.max_local_storage_nodes: 3

@gunzl1ng3r please tell us if you achieved what you needed.
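
Following the finding above that list-valued settings worked once they were moved from environment variables into opensearch.yml, this added example (not code from the posters or from the OpenSearch project) separates list values from scalar ones and renders the lists as YAML. The function names and the sample dictionary are assumptions; the setting keys and values are taken from the first post.

```python
import json

# Constructed sample: a subset of the settings from the first post, as the
# container would see them in its environment (every value is a string).
ENV_SETTINGS = {
    "cluster.name": "opensearch",
    "discovery.type": "single-node",
    "plugins.security.ssl.http.enabled": "true",
    "plugins.security.ssl.http.pemcert_filepath": "server-cert.pem",
    "plugins.security.authcz.admin_dn": '["CN=admin,OU=SSL,O=Test,L=Test,C=DE"]',
    "plugins.security.restapi.roles_enabled": '["all_access","security_rest_api_access"]',
}


def split_settings(settings):
    """Return (scalars to keep as env vars, list values for opensearch.yml)."""
    keep_env, to_yaml = {}, {}
    for key, value in settings.items():
        text = value.strip()
        if not text.startswith("["):
            keep_env[key] = value
            continue
        try:
            items = json.loads(text)
        except json.JSONDecodeError as exc:
            # Fail loudly on a malformed list (for example curly quotes pasted
            # from a web page) instead of passing it on as a plain string.
            raise ValueError(f"{key}: not a valid list literal: {value!r}") from exc
        to_yaml[key] = [str(item) for item in items]
    return keep_env, to_yaml


def render_yaml(list_settings):
    """Render list-valued settings as YAML block sequences."""
    lines = []
    for key in sorted(list_settings):
        lines.append(f"{key}:")
        # json.dumps yields a double-quoted string, which is a valid YAML scalar.
        lines.extend(f"  - {json.dumps(item)}" for item in list_settings[key])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    env, lists = split_settings(ENV_SETTINGS)
    print("# keep as environment variables:", ", ".join(sorted(env)))
    print(render_yaml(lists), end="")
```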

Sorry for the late response, but indeed, to my surprise, moving the configurations to opensearch.yml worked.

I found it a little annoying that opensearch’s Docker image behaves inconsistently when it comes to configurations through environment variables.

The entrypoint.sh looks like pretty much everything should be configurable through environment variables.

Anyway, it works now.

Thanks everyone for the input 🙂